Washington could be the next U.S. state to enact consumer privacy legislation similar to the EU's General Data Protection Regulation (GDPR). On Wednesday, the Washington state senate overwhelmingly approved the Washington Privacy Act, SB 5376 (the "WPA") which takes its cues from the GDPR playbook to address consumer privacy concerns.
Under the WPA, companies must be transparent and accountable for how they process consumer data, which includes providing a clear and meaningful privacy notice that describes the types of data collected, the purposes for collecting such data, and how the data is used, including whether the data is shared with or sold to third parties. In an effort to assist companies in being transparent, the WPA also requires companies to conduct risk assessments to determine whether their data collection procedures are putting consumer privacy rights at risk. Where a company’s data collection practices go against consumer privacy rights, the company must have express consumer consent before collecting personal data.
The WPA gives individual consumers the right to request that a company: (1) fully disclose what kinds of personal information they are holding and how they are using it; (2) modify or correct an individual’s personal data; (3) delete an individual’s personal data; and (4) limit how an individuals’ personal data may be used. The WPA also gives consumers the right to withdraw previous consent for the use of personal data.
The WPA also addresses consumer privacy in the context of facial recognition technology and requires facial recognition technology providers to contractually prohibit their customers from using the technology to unlawfully discriminate against individuals or groups of consumers.
The WPA applies to companies that conduct business in Washington or intentionally target Washington residents, who also either (1) control or process data of at least 100,000 consumers or (2) derive at least 50% of their gross revenue from the sale of personal data and also control or process data of at least 25,000 consumers.
The WPA does not create a private right of action for individual consumers, but gives the state attorney general the right to bring an action in the name of affected Washingtonians. Companies in violation of the Act will have a 30-day period to cure any violations and otherwise will be subject to a $2,500 civil penalty for each violation, or $7,500 for each violation that is found to be intentional. The bill now moves to the House which is also reviewing a companion bill.
Washington State’s move to bolster state mandated consumer privacy protections follows on the heels of the passage of the California Consumer Privacy Act of 2018 (“CCPA”) which goes into effect January 1, 2020. The CCPA requires businesses to provide notice to consumers regarding the personal information collected and shared, along with notice of consumer’s rights with respect to that personal information. Notably, the CCPA contains a broad, seemingly all-encompassing definition of the term consumer that would include employees and business contacts. Unlike the WPA, the CCPA includes a private right of action, which could be expanded under recently introduced legislation (SB 561) which also removes the 30 day cure period for businesses receiving a notice of an alleged violation.
Legislation similar to the CCPA has been introduced in Hawaii (SB418, introduced January 2019), Massachusetts (SD341, introduced January 2019), New Mexico (SB176, introduced January 2019), Rhode Island (S0234, introduced January 2019), and Maryland (SB0613, introduced February 2019).
If approved, the Washington State Privacy Act would go into effect July 31, 2021.